Quibi, JetBlue, Wish, others accused of leaking millions of email addresses to ad orgs via HTTP referer headers
From URL to UR-Hell
Short-video biz Quibi, airline JetBlue, shopping site Wish, and several other companies leaked million of people's email addresses to ad-tracking and analytics firms through HTTP request headers, it is claimed.
According to findings published Wednesday by Zach Edwards, of digital strategy firm Victory Medium, these businesses have spilled these contact details to advertising networks and the like over the past few years. Among those websites identified by Edwards – a group that also includes Mailchimp, The Washington Post, NGPVan.com, KongHQ, and GrowingChild.com – some promptly altered their websites when notified of the issue, but others have not.
And while this disclosure of email addresses to third parties may well be covered in high-level terms buried in corporations' privacy policies, it's a reminder of just how easy it is for websites to pass along your personal contact details in a blink of an eye without you realizing.
Netizens using web browsers that prioritize defenses against ad tracking, such as Brave, Firefox, and Safari, or who have installed suitable privacy extensions in other browsers, may have avoided having their email addresses spirited away.
How it happens
When someone tries to visit a page on a website – by clicking on a link or button, say – their browser constructs a HTTP request for that page, and sends it to the website. That request contains a URL address for the page, and this URL can contain information relevant to the request. The HTTP request also can contain what's called a referer header, which specifies the URL for the webpage you just visited.
Quibi, the recently launched short video sharing app, was doing just that, said Edwards. When a new user signed up with an email address, that person received an email with an account creation confirmation link. Clicking on that link took the netizen to a webpage with the following URL, which contained their account email address:
JetBlue, it's claimed, similarly leaked email addresses from a signup webpage, and was alerted to the shortcoming in March. "After being informed of the leak, JetBlue stated they would never do what they are doing because it would be against the law," Edwards said in his report.
For the past two years, Wish.com has been transmitting millions of email addresses, in base64 encoding, which is not encryption, we're told.
"From July 2018 until January 2020 when this research was initially shared with Wish.com, Wish transmitted user emails to at least Google, Facebook, Pinterest, Criteo, PayPal and Stripe, and potentially other companies," Edwards said. Several thousand of these messages apparently have been cached by search engines such as URLscan.io.
You had one job, Cupertino: Apple's Intelligent Tracking Protection actually gets tracking protectionREAD MORE
Glenn Lehrman, veep and head of communications at Wish.com, told The Register the company considers data protection and user trust a top priority. He said after receiving Edwards' report earlier this year, the biz made some changes, including adding encryption to protect user email addresses in transit.
Lehrman said he disagreed with Edwards' findings, noting that the websites receiving the email addresses act as service providers, performing advertising and sales support functions.
"Zach takes issue with the specific manner in which web referer data was encoded (into a non-human readable string) and surmises that large service providers theoretically could have first ingested and then taken steps to decode that data," said Lehrmann. "We have no reason to believe that occurred. Certainly, these companies had no reason to do so, and in any event, it certainly is not a 'breach' to provide a service provider with such encoded information."
Email addresses are considered Personally Identifiable Information under Europe's General Data Protection Regulation, Edwards told The Register. Exposing this data could pose problems to companies operating in Europe.
The California Consumer Privacy Act is less clear. "That's why Wish said all its ad tech partners were 'service providers' – this is the one opening in the CCPA to be able to share data this way," he added.
Even so, Edwards believes none of the organizations he identified made this data sharing sufficiently clear in their privacy policies.
Edwards said he doubts these leaks are accidental. "It’s definitely not an accident when most organizations do this," he said, noting that the practice is a widely known and heavily used "growth hack."
"It improves retargeting opportunities and improves attribution in analytics systems," he said. "Ad tech Companies like Adroll had a 'data shotgun' that grabbed emails in URls for years and this is a known strategy. Liveramp has a user graph with huge amounts of emails and tons of ad networks have email matching like Facebook Custom Audience. Email being pushed to ad networks is almost always on purpose and it's profitable for folks who do it." ®